Full-Cycle Program Intake

1 Program mandate

1.1 What is the trigger for building this program?

Regulatory mandate (INCD, BoI, compliance directive) — ref:Board / executive decisionPost-incident remediationMaturity initiative / strategic investmentOther:

1.2 Who is the executive sponsor?

Name:Role:Authority:

1.3 New program or maturing an existing one?

New program — no structured CTI capability existsMaturing — existing capability, extending scope or governanceRebuilding — previous capability dismantled or failed

1.4 Target maturity level in 12 months?

Level 1 — Ad hoc (reactive only)Level 2 — Defined (PIRs, source registry, basic products)Level 3 — Managed (regular products, sharing established, metrics tracked)Level 4 — Optimized (emulation, detection integration, regulatory compliant)

2 Stakeholders

2.1 Primary intelligence consumers?

Consumer	Role	Intelligence need	Cadence	TLP limit

2.2 Who has authority to approve and prioritize PIRs?

Name:Role:

2.3 Who will be accountable for program metrics?

Name:Role:

2.4 Who should NOT have visibility into the program's existence or findings?

Suspect insider, pending legal action, need-to-know restriction

3 Priority Intelligence Requirements

3.1 Top 3–5 questions the program must answer?

PIR	Stakeholder	Decision it drives	Review cadence

3.2 Any PIRs driven by a regulatory or compliance requirement?

Yes — PIR:No

3.3 PIRs that cannot currently be answered (collection gap)?

4 Collection requirements

4.1 Internal sources available?

4.2 External sharing relationships currently in place?

4.3 Top collection gaps?

Sources that would answer PIRs but are not yet available

4.4 Budget for new source subscriptions?

5 Sharing architecture

5.1 Intended external sharing partners?

5.2 Internal sharing requirements?

SOC, IR team, detection engineering, legal/compliance, executive

6 Team and resources

6.1 Analysts allocated to this program?

FTE:Contractors / MSSP:

6.2 Tooling available?

6.3 Annual program budget?

6.4 Skills gaps requiring training, hiring, or contractor support?

7 Governance

7.1 Reporting structure?

Reports to:Frequency:

7.2 Review cadence?

Weekly — tactical products, SOC alertsMonthly — strategic products, stakeholder briefingsQuarterly — PIR review, program metrics, maturity assessmentAnnual — charter review, budget justification

7.3 KPIs to measure program effectiveness?

e.g. PIR answer rate, detection coverage %, time-to-product, stakeholder satisfaction score

8 Regulatory context

8.1 Applicable compliance frameworks?

8.2 INCD MOU — status?

Active MOU in placeIn progress — expected:Not requiredRequired but not started

9 Analyst assessment

9.1 Current maturity level?

Level 1 — Ad hocLevel 2 — DefinedLevel 3 — ManagedLevel 4 — Optimized

9.2 Top 3 program risks?

1.

2.

3.

9.3 Recommended first 30-day actions?

What must happen to establish credibility, answer at least one PIR, and demonstrate value?

10 Analyst notes

Free-form notes from the intake call — raw, unprocessed

11 Next actions

#	Action	Owner	Due
1
2
3
4

Partner	Type	TLP limit	MOU needed?
CERT-IL	National CERT	GREEN	Yes
			YesNo
			YesNo
			YesNo

Framework	Applicable?	Key obligation	Deadline
INCD Directive	YesNo
BoI-CD 362	YesNo
GDPR	YesNo
	YesNo

Full-Cycle CTI Program Intake